We Keep Coding

Parameterized query for MySQL in RStudio

I want to run a parameterized query in MySQL database from RStudio.
Like there is a table, say TEST, which contains name and age columns. I want to fetch data from TEST where age > 30. I can use paste() to build the query but I want the value 30 as a parameter.
So I was trying the below code :
> myQ<-dbSendQuery(conn,"SELECT * FROM TEST WHERE age > ?")
> dbBind(myQ,list(30))
> dbFetch(myQ)
But after the 1st line it is giving the below error :
Error in .local(conn, statement, ...) : could not run statement:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '?' at line 1
Can anyone please help me on how to achieve this?
Edit 1
I can achieve this using the below code, but I don't want this :
> age<-30
> myQ<-dbSendQuery(conn,paste("SELECT * FROM TEST WHERE age >",age))
> dbFetch(myQ)
Is there any way to achieve my requirement?
Edit 2
See the screenshot below, for reference go this link

You may be using the legacy 'DBI' interface RMySQL::MySQL() as your driver for DBI::dbConnect(). The error you got cleared up for me when I switched to the suggested RMariaDB::MariaDB() driver. Per your screenshot, the DBI docs do imply the RMySQL driver.

spring boot get data from mysql table given by url

I want to create simple app to search some data in specific table.
I've got one database and can connect to it.
Also when I hardcoded table name it works great.
But I want to make url like that:
/demo/{table}/{author}
It should work that i give specific table for eg. 'comedy' and next I set name of author for eg. 'smith'.
My booksRepository:
#Query(value = "SELECT * FROM :table WHERE author = :author",
nativeQuery=true)
public List<Book> findByAuthor(#Param("author") String author, #Param("table") String table);
But it didn't work. I've got error:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''comedy' WHERE author = 'Smith'' at line 1
It's adding ' to Query. Is there way to delete that? Is it possible or I need to put everything in one table?
Cheers :)

I haven't looked it up, but it seems that the variables in the query SQL can only be used to insert quoted values, not unquoted identifiers like a table name.

VFP 9 - MySql Error in SQL Syntax

Connecting from VFP 9 To MySql
lnTestForExisting=SQLEXEC(m.WorkingDatabase, "SELECT student_id, date_treated, where_treated, treatment, id AS CloudId ;
FROM medical WHERE school_id=?lcSchoolId AND downloaded_to_desktop!='Y'","StudentsMedFromServer")
Works Fine Data comes down just like it should then when I go to send the update back to the server using this
lnGoodServerUpdate=SQLEXEC(m.WorkingDatabase,"UPDATE SET medical downloaded_to_desktop='Y' WHERE SchoolId=?ServerSchoolId and id=?lnCloudId")
Generates syntax error and says the error is near the Where clause - the value in ?ServerSchoolId is reported as _lati (and then it cuts off I assume the word is _latin)
TIA

Hibernate SQL Injection

I'm auditing a project and I found a way to inject data in a query.
The project uses Hibernate and for this piece of code Session.createSqlQuery() and then a .list()
The SQL is something like : "SELECT * FROM tablename ORDER BY column XXXXXX"
XXXXXX can be modified using Fiddler. So I tried
SELECT * FROM tablename ORDER BY column DESC; truncate table tablename;
Unfortunately (well only for my injection attempt) it's not working and I'm getting :
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'truncate table tablename'
My question is, since they're using createSQLQuery, are they safe from injection. If they're not, could you give me an example to highlight the issue.
I tried using %08 (Backspace character) thinking I would be able to delete previous query characters for example (It didn't work ;) )
Thanks.
After some research it seems I won't be able to modify data with this security hole, however using ORDER BY (CASE WHEN ...) would allow to "scan" the tables and the data.

Is the column name specified using a parameterized statement or are you just concatenating text?
ex: in perl::DBI, the drivers support the following syntax:
$dbh->do("SELECt * FROM asdf ORDER BY ?", undef, $order_by);
The ? there is a form of parameterized statement which sanitizes the input automatically.

MySQL - Data with the symbol "&"

I have the below data in my MySQL table "categories":
id Name
-----------------
1 Books & CDs
2 Dress
When I try to get the value from table it works fine with below SQL.
SELECT * FROM `categories` WHERE `name` = 'Books & Cds';
But when using in PHP, it gives me some SQL error.
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an
error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '' at line 5
Where can I find the actual reason for this? How to debug this?

If you want to search for rows in your Category table in your PHP code, I recommend that you add a column in your table for a code to use instead of searching on the name that you use for the end users. The potential problem that you're facing is that if you want to change the name of a category, you'd have to find everywhere in your code that you referred to that category by name and change it too. But if your table looked like this:
ID code name
1 BCDS Books & CDs
2 DRS Dress
then your code can do things like "where code = 'BCDS'" and you can call that category "Books & CDs", "CDs and Books", or anything else you like.
Now, as far as fixing your syntax problem, you'll have to post the PHP that you use to generate the query that fails. As another poster said, you're probably escaping something incorrectly and MySQL isn't getting the query you think it's getting.